xloader | a6c85b5033ddf405500fef8230c295b94da31e866755b5f58901b89853af1419

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe
Size

847KB
MD5

07c99ae811a2c467a1a2677faabf7cd5
SHA1

5443cfc115615e2af5a1e98edc6ea0f6372fd5b8
SHA256

a6c85b5033ddf405500fef8230c295b94da31e866755b5f58901b89853af1419
SHA512

24b393771cb75748469a1408b43009afd9998c0ac76093786305feb8a5da45f78e5193da2d0d4badc298160871c1aa08180295d1a8ff5bcaaab2c047a5a4cf56
SSDEEP

12288:46VMjOZnxsnIcXpN0j0jmWBJElTVte9lvcTkt6X1LWqtD2biwzIJY:46V3nxsYcux49lGk2LWqhuL

Score

10^/10

xloader ianv loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ianv

Decoy

toysclass.com

baohiemthuduc.com

dronesracers.com

wallis-platform.com

waltermorgan.fitness

vsn-designs.com

cengjing.life

trackcatologueorders.com

newworkpay.com

brainywoodindia.com

myrtlebeachstripperstoyou.com

saori.cloud

10fastvpn.com

freemindsweden.com

phatsquares.com

pandemia.tienda

7560eads6.com

sabjidada.com

zhyingj.group

nailmanicurest.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4320-5-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4904 set thread context of 4320	4904	07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe

pid	Process
4320	07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe
4320	07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4904 wrote to memory of 4320	4904	07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe	96
PID 4904 wrote to memory of 4320	4904	07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe	96
PID 4904 wrote to memory of 4320	4904	07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe	96
PID 4904 wrote to memory of 4320	4904	07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe	96
PID 4904 wrote to memory of 4320	4904	07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe	96
PID 4904 wrote to memory of 4320	4904	07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07c99ae811a2c467a1a2677faabf7cd5_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4320-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4320-8-0x00000000013B0000-0x00000000016FA000-memory.dmp

Filesize
3.3MB

Download
memory/4320-9-0x00000000013B0000-0x00000000016FA000-memory.dmp

Filesize
3.3MB

Download
memory/4904-0-0x0000000074C12000-0x0000000074C13000-memory.dmp

Filesize
4KB

Download
memory/4904-1-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4904-2-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4904-3-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4904-4-0x0000000074C12000-0x0000000074C13000-memory.dmp

Filesize
4KB

Download
memory/4904-7-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download